...

Warning

Do not send the resulting private key file platform.key to anyone. Only the CSR created below leaves your system; the private key stays on the server the Platform runs on.

Create CSR

Create the following two files in the same directory as the platform.key file.

Create a file named csr-settings.sh with the following content:

Code Block (csr-settings.sh)
# Settings file for CSR
# Adjust according to your server.

# C: Country, 2 letter code, upper case. examples: "DE", "BG", "CH"
export C="DE"
# ST: State or Province Name, e.g. "Hamburg", "Maryland", "Zug"
export ST="Hamburg"
# O: Organisation, e.g.: "Lobaro GmbH", "Example Corp."
export O="Lobaro GmbH"
# CN: Common Name, the domain the platform runs on and that the devices are configured with, e.g. "platform.lobaro.com"
# Can also be an IP address (only do this in secure environments where the IP will never change, e.g. inside your VPN)
export CN="backend.lobaro.com"

Create a file named locert-csr.sh with the following content:

Code Block (locert-csr.sh)
#!/bin/bash

# abort on any error
set -e

# name of the private key file (created beforehand, see above):
KEY="platform.key"
# name of the file the CSR settings are read from:
SETTINGS="csr-settings.sh"

# print a message and exit with a non-zero status so callers notice the failure
function abort {
  echo "Abort."
  exit 1
}

# check if key exists
if [[ ! -f "$KEY" ]]; then
  echo "Key file '$KEY' missing."
  echo "run 'openssl ecparam -name prime256v1 -genkey -noout -out $KEY' to create key."
  echo "run 'openssl ecparam -name prime256v1 -genkey -noout | openssl ec -aes256 -out $KEY' to create encrypted key."
  abort
fi

# check that the file is a PEM encoded EC private key (encrypted or not);
# looking for the PEM header does not depend on the magic database of file(1)
if ! grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$KEY"; then
  echo "Key file '$KEY' does not seem to be an EC private key."
  abort
fi

# check if settings file is present
if [[ ! -f "$SETTINGS" ]]; then
  echo "csr-settings missing, please create '${SETTINGS}'."
  abort
fi

echo "loading CSR settings from ${SETTINGS}"
. "./${SETTINGS}"

# verify settings
GOOD=1
if [[ ! $C =~ ^[A-Z]{2}$ ]]; then
  echo "C must be two upper case letters."
  GOOD=0
fi
# ST and O must not contain the characters used to build the subject string
if [[ ! $ST =~ ^[^/=]+$ ]]; then
  echo "ST is invalid."
  GOOD=0
fi
if [[ ! $O =~ ^[^/=]+$ ]]; then
  echo "O is invalid."
  GOOD=0
fi
# CN: lower case host name with at least one dot (labels may contain hyphens) or an IPv4 address
CN_RE='^[a-z0-9-]+(\.[a-z0-9-]+)+$'
if [[ ! $CN =~ $CN_RE ]]; then
  echo "CN is invalid: '${CN}'"
  GOOD=0
fi
if [[ $GOOD != 1 ]]; then
  echo "Please fix ${SETTINGS}."
  abort
fi

# Prepare CSR
SUBJ="/C=${C}/ST=${ST}/O=${O}/CN=${CN}"
echo "Subject is '${SUBJ}'"
CSR="${CN}.csr"

# Generate CSR, signed with the private key (openssl asks for the passphrase if the key is encrypted)
echo "Generating CSR in ${CSR}."
openssl req -new -key "$KEY" -sha256 -subj "${SUBJ}" -out "${CSR}"
  • Execute the script: bash locert-csr.sh
  • Send the created *.csr file (e.g. backend.lobaro.com.csr) to Lobaro, see below.

Request Certificate from Lobaro

Send the CSR to support@lobaro.de to receive a valid certificate for your Server.

...

Alternatively, the CSR can be created with a single openssl command. Update the "-subj" parameter in the command below according to your server and organisation:

  • C is Country Name (2 letter code): e.g. C=DE
  • ST is State or Province Name (full name): e.g. ST=Hamburg
  • O is Organization Name (e.g. company): e.g. O=Lobaro GmbH
  • CN is Common Name (the server FQDN): e.g. CN=up.lobaro.com
    • The CN must match the domain that is configured in the devices. It can also be an IP address, but only in environments where the IP will never change (e.g. inside your VPN).


Code Block
openssl req -new -key platform.key -sha256 -subj "/C=DE/ST=Hamburg/O=Lobaro GmbH/CN=up.lobaro.com" -out "platform.csr"

Verify your request with:

Code Block
openssl req -text -noout -in platform.csr


Install the signed Certificate in the Platform

Add or update the following keys in the Platform configuration file:

Code Block
server:
  dtlsConfig:
    dtlsCertDir: "./config" # This way the configuration directory is used to lookup the key and cert.
    dtlsCertName: "platform" # Used to lookup "platform.crt" and "platform.key"
featureToggle:
  dtlsSecureCoapServiceEnabled: true # only needed up to v1.59.1, the toggle was removed in later versions
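Before pointing dtlsCertDir at the files, it is worth checking that what came back actually fits: that the certificate's public key belongs to platform.key, that its subject carries the CN the devices are configured with, and that it is not already expired. The same key check applies to the CSR before it is sent (the "Verify your request" step above only prints it). The script below is an added example and not part of Lobaro's tooling. It assumes openssl in PATH, uses the file names from this page (platform.key, platform.csr, platform.crt), and builds a throw-away fixture with a constructed CN and a self-signed certificate that only stands in for the signed one Lobaro returns.

```shell
#!/bin/bash
# Added example, not Lobaro's code: checks on the CSR and on the certificate
# returned for it. Needs openssl in PATH. File names follow the page; the CN
# "platform.example.com" and the self-signed fixture are constructed for the demo.
set -e

# Return 0 if the CSR's self-signature verifies and its public key belongs to the private key.
csr_matches_key() {
  local csr="$1" key="$2" csr_pub key_pub
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Return 0 if the certificate's public key matches the private key.
cert_matches_key() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate subject carries CN=<name> (the name the devices connect to).
cert_has_cn() {
  local cert="$1" name="$2" subj
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  subj=${subj#subject=}
  case ",${subj}," in
    *",CN=${name},"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the certificate is currently within its validity period.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Build a throw-away fixture: key, CSR (same command as locert-csr.sh) and a
# self-signed certificate standing in for the one Lobaro would return.
make_fixture() {
  local dir="$1" cn="$2"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/platform.key"
  openssl req -new -key "$dir/platform.key" -sha256 \
    -subj "/C=DE/ST=Hamburg/O=Example Corp./CN=${cn}" -out "$dir/platform.csr"
  openssl x509 -req -in "$dir/platform.csr" -signkey "$dir/platform.key" \
    -days 1 -out "$dir/platform.crt" 2>/dev/null
  # A second, unrelated key: the mismatch case the checks must catch.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.key"
}

# Run all certificate checks; prints a verdict and returns non-zero on any failure.
check_cert() {
  local cert="$1" key="$2" cn="$3" ok=0
  cert_matches_key "$cert" "$key" || { echo "public key in $cert does not belong to $key"; ok=1; }
  cert_has_cn "$cert" "$cn"       || { echo "$cert does not carry CN=$cn"; ok=1; }
  cert_not_expired "$cert"        || { echo "$cert is expired"; ok=1; }
  [ "$ok" -eq 0 ] && echo "$cert: OK"
  return "$ok"
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_fixture "$tmp" "platform.example.com"
  csr_matches_key "$tmp/platform.csr" "$tmp/platform.key" && echo "CSR belongs to platform.key"
  check_cert "$tmp/platform.crt" "$tmp/platform.key" "platform.example.com"
  check_cert "$tmp/platform.crt" "$tmp/other.key" "platform.example.com" || true
  rm -rf "$tmp"
fi
```

Saved as, say, check-platform-cert.sh (a name chosen here), `bash check-platform-cert.sh demo` runs the fixture and shows one passing and one mismatching run. For the real files, call check_cert with the certificate from Lobaro, your platform.key and the CN from csr-settings.sh; if the CN is an IP address, compare against the subject the same way, since a dNSName check does not apply.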


Warning

We recommend not to back up the platform.key file at all. If it is lost, generate a new key and CSR; Lobaro can issue a new certificate for it.

If you do need to back up the key file, make sure the backup is encrypted in a secure way, e.g. by backing up only the passphrase-protected variant of the key (see the openssl ec -aes256 hint in locert-csr.sh).


If you choose a location other than "./config", the docker-compose.yml must be updated to mount the dtlsCertDir into the container:

Code Block
services:
  lobaro-backend:
    volumes:
      - </host/path/to/cert-dir>:<dtlsCertDir>


To apply the configuration, restart the Platform:

Code Block
docker restart platform_lobaro-backend_1


Note

If the command fails with, e.g.,

Code Block
Error response from daemon: No such container: platform_lobaro-backend_1

execute

Code Block
docker ps | grep lobaro

to find the container that is running the Platform. The restart command can then be issued with its CONTAINER ID or NAME instead.